@obenland

Fixes #

Proposed changes:

  • Disable REST API access for internal custom post types (ap_inbox, ap_outbox, ap_post) by setting 'show_in_rest' to false

Other information:

  • Have you written new tests for your changes, if applicable?

Testing instructions:

Changelog entry

  • Automatically create a changelog entry from the details below.

Changelog Entry Details

Significance

  • Patch
  • Minor
  • Major

Type

  • Added - for new features
  • Changed - for changes in existing functionality
  • Deprecated - for soon-to-be removed features
  • Removed - for now removed features
  • Fixed - for any bug fixes
  • Security - in case of vulnerabilities

Message

Disable REST API endpoints for internal post types.

This change disables REST API access for the ap_inbox, ap_outbox, and ap_post custom post types by setting 'show_in_rest' to false.
Copilot AI review requested due to automatic review settings November 13, 2025 20:28
@obenland obenland self-assigned this Nov 13, 2025
@obenland obenland requested a review from a team November 13, 2025 20:28

Copilot AI left a comment

Pull Request Overview

This PR addresses a security/privacy concern by disabling REST API access for internal ActivityPub post types that should not be publicly accessible through WordPress's REST API.

Key Changes:

  • Modified three custom post type registrations (ap_inbox, ap_outbox, ap_post) to set 'show_in_rest' from true to false
  • Added changelog entry documenting this fix

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| includes/class-post-types.php | Disabled REST API exposure for three internal post types by setting 'show_in_rest' to false |
| .github/changelog/2463-from-description | Added changelog entry documenting the fix |
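
A regression check for the change discussed in this PR, as an added example that is not part of the PR or the plugin's code: it scans a site's REST route index (the JSON served at `/wp-json/`) for routes that belong to the three internal post types. It assumes the default `wp/v2` namespace and that each type's `rest_base` is its slug; both sample indexes are constructed.

```python
# Post type slugs named in this PR.
INTERNAL_POST_TYPES = ("ap_inbox", "ap_outbox", "ap_post")

# Assumption: WordPress defaults (namespace "wp/v2", rest_base == post type slug).
DEFAULT_NAMESPACE = "wp/v2"


def exposed_internal_routes(index, post_types=INTERNAL_POST_TYPES,
                            namespace=DEFAULT_NAMESPACE):
    """Return the sorted route paths in a REST index that serve internal post types."""
    hits = set()
    for route in index.get("routes", {}):
        for slug in post_types:
            base = f"/{namespace}/{slug}"
            # Match the collection route and everything below it (single item,
            # revisions, ...), but not a sibling such as /wp/v2/ap_post_archive.
            if route == base or route.startswith(base + "/"):
                hits.add(route)
    return sorted(hits)


# Constructed sample: route index while 'show_in_rest' is true.
SAMPLE_BEFORE = {"routes": {
    "/": {},
    "/wp/v2/posts": {},
    "/wp/v2/ap_inbox": {},
    r"/wp/v2/ap_inbox/(?P<id>[\d]+)": {},
    "/wp/v2/ap_outbox": {},
    "/wp/v2/ap_post": {},
    "/wp/v2/ap_post_archive": {},  # constructed near-miss, must not match
}}

# Constructed sample: route index after 'show_in_rest' is set to false.
SAMPLE_AFTER = {"routes": {
    "/": {},
    "/wp/v2/posts": {},
    "/wp/v2/ap_post_archive": {},
}}

if __name__ == "__main__":
    # For a real check, load the index of your own site instead, e.g.
    # index = json.load(open("wp-json-index.json"))
    for name, index in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        found = exposed_internal_routes(index)
        print(name, "FAIL" if found else "ok", found)
```
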
